Citrix Cloud

Configure SAML authentication in Citrix Cloud using ADFS

This article describes how to configure the relying party trust that Citrix Cloud requires for signing in to Citrix Workspace or Citrix Cloud using SAML.

After you complete the steps in this article, you can configure the SAML connection between your ADFS server and Citrix Cloud as described in Connect SAML as an identity provider in Citrix Cloud. For guidance for entering the correct ADFS values for your SAML connection, see SAML configuration in Citrix Cloud in this article.


The instructions in this article assume that you have an operating ADFS server deployment with Citrix FAS in your environment. Citrix FAS is required to provide single sign-on to VDAs during session launch.

For more information, refer to the following articles:

Configure a relying party trust for Citrix Cloud

  1. From the AD FS management console, expand the AD FS node in the left pane.
  2. Right-click Relying Party Trust and select Add Relying Party Trust.

    Add Relying Party Trust menu option

    The Add Relying Party Trust wizard appears.

  3. Select Claims aware and then select Next.

     ADFS Trust Wizard with Claims aware option selected

  4. In Federation metadata address, enter Select Next.

    ADFS Trust Wizard with federation metadata address entered

  5. For the display name, enter CitrixCloudProd. Select Next.

    ADFS Trust Wizard with display name entered

  6. For the access control policy, select Permit everyone. Select Next.

    ADFS Trust Wizard with access control policy highlighted

  7. On the Ready to Add Trust screen, select Next.
  8. On the Finish screen, select Configure claims issuance policy for this application. Select Next.

    ADFS console with Edit Claim Issuance Policy menu option selected

  9. Right-click the newly-created relaying party trust and select Edit Claim Issuance Policy.
  10. Click Add Rule and then select Send LDAP Attributes as Claims. Select Next.
  11. In Claim rule name, enter CitrixCloud.
  12. In Attribute store, select Active Directory.
  13. Under Mapping of LDAP attributes to outgoing claim types, add the following LDAP attributes, exactly as shown:

    LDAP attribute Outgoing Claim Type
    User-Principal-Name Name ID
    User-Principal-Name cip_upn
    E-Mail-Addresses cip_email
    objectSID cip_sid
    objectGUID cip_oid
    Display-Name displayName
    Given-Name firstName
    Surname lastName

    Configured claim rule

  14. Select Finish.

Modify a Citrix Cloud relying party trust using PowerShell

If you’ve configured your ADFS server using the default “out of the box” configuration, the steps in this section enable you to update it so it meets the Citrix-recommended configuration. This task is required to resolve an issue where SAML Single Logout from Citrix Cloud or Citrix Workspace fails if the nameidentifier attribute isn’t included in the claim rule set or isn’t the first SAML attribute in the claim rule set.


You don’t need to perform this task if you created your claim rule set using the steps in Configure a relying party trust for Citrix Cloud in this article.

To complete this task, you replace the existing rule set with a new claim rule set using PowerShell. The ADFS management console doesn’t support this type of operation.

  1. On the ADFS server, locate the PowerShell ISE. Right-click and select Run as administrator.
  2. Back up your existing ADFS claim rules to a text file:

    Get-ADFSRelyingPartyTrust -name "CitrixCloudStaging" | Select-Object -ExpandProperty IssuanceTransformRules | Out-File "$env:USERPROFILE\desktop\claimrulesbackup.txt"
  3. Download the claimrules.txt file that Citrix provides at
  4. Copy the claimrules.txt file to your desktop.
  5. Import the required claim rules using the claimrules.txt file:

    Set-ADFSRelyingPartyTrust -Name "CitrixCloudProd" `
                          -MetadataUrl "" `
                          -AutoUpdateEnabled $True `
                          -IssuanceTransformRulesFile "$env:USERPROFILE\desktop\claimrules.txt" `
                          -SignedSamlRequestsRequired $True `
                          -SamlResponseSignature "MessageAndAssertion" `
                          -Enabled $True

Update SAML signing settings for the relying party trust using PowerShell

By default, ADFS relying party trusts have the following settings:

  • EncryptClaims: True
  • SignedSamlRequestsRequired: False
  • SamlResponseSignature: AssertionOnly

For increased security, Citrix recommends using signed SAML requests for both Single Sign-on (SSO) and Single Logout. This section describes how to update the signing settings of an existing relying party trust using PowerShell so they meet the Citrix-recommended configuration.

  1. Obtain the current RelyingPartyTrust configuration on your ADFS server.

    Get-ADFSRelyingPartyTrust -TargetName "CitrixCloudProd"
  2. Update the CitrixCloudProd relying party trust settings.

    Set-ADFSRelyingPartyTrust -Name "CitrixCloudProd" `
                          -SignedSamlRequestsRequired $True `
                          -SamlResponseSignature "MessageAndAssertion"
  3. Contact Citrix Support and request to activate the authentication feature EnableSamlLogoutSigningAndPost on your Citrix Cloud customer. This causes Citrix Cloud to send SAML Single Logout requests as signed POST requests instead of unsigned Redirect requests when users sign out of Citrix Workspace or Citrix Cloud. Sending signed POST requests is required if the SAML provider requires signed requests for Single Logout and rejects unsigned redirects.

SAML configuration in Citrix Cloud

When you configure the SAML connection in Citrix Cloud (as described in Add SAML provider metadata to Citrix Cloud), you’ll enter the values for ADFS as follows:

In this field in Citrix Cloud Enter this value
Entity ID, where is your ADFS server domain.
Sign Authentication Request Yes
SSO Service URL, where is your ADFS server domain.
Binding Mechanism HTTP Post
SAML Response Sign Either Response Or Assertion
Authentication Context Unspecified, Exact
Logout URL, where is your ADFS server domain.
Configure SAML authentication in Citrix Cloud using ADFS